Target IP: 10.10.191.61
There are three TCP ports open on the target machine. It seems the target is running Windows.
Port 8080: HTTP
There is a web application on this port. Browsing to this port prompts me to log in with a username and password. From the nmap scans and the curl request above, it looks like the target machine is running the ThinVNC application. Trying default credentials such as admin:admin did not work.
This application is vulnerable to arbitrary file access, and this article contains the PoC that can be used to access the credentials of this application.
Following the article's PoC, I managed to obtain the credentials Atlas:H0ldUpTheHe@vens by sending a request to /admin/../../ThinVnc.ini. Now that I have the credentials, I should be able to log in to the ThinVnc application.
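As an added defensive example (not part of the original write-up), the Python below normalizes request paths from web server access logs the way a hardened server should, and flags requests whose dot-segments escape the web root or whose target is ThinVnc.ini. The log lines, source addresses and timestamps are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from the write-up.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/../../ThinVnc.ini HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /admin/%2e%2e/%2e%2e/ThinVnc.ini HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/css/style.css HTTP/1.1" 200 200',
]

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# File the write-up identifies as the credential store; compared case-insensitively.
SENSITIVE_FILES = {"thinvnc.ini"}


def normalize_path(raw):
    """Percent-decode (twice, to catch double encoding) and resolve dot-segments.

    Returns (normalized_path, depth). depth < 0 means the request used more
    '..' segments than there were directories to climb, i.e. it escaped the root.
    """
    decoded = unquote(unquote(raw.split("?", 1)[0]))
    parts, depth = [], 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                depth -= 1  # climbed above the web root
        else:
            parts.append(seg)
    return "/" + "/".join(parts), depth


def classify(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    norm, depth = normalize_path(m["path"])
    reasons = []
    if depth < 0:
        reasons.append(f"traversal escapes web root by {-depth} level(s)")
    if posixpath.basename(norm).lower() in SENSITIVE_FILES:
        reasons.append(f"request for sensitive file {posixpath.basename(norm)}")
    if reasons and m["status"] == "200":
        reasons.append("server answered 200: file was likely disclosed")
    if not reasons:
        return None
    return {"src": m["src"], "path": m["path"], "normalized": norm, "reasons": reasons}


def scan(lines):
    """Run classify() over every log line and keep only the findings."""
    return [hit for hit in (classify(line) for line in lines) if hit]
```

Because the server's own normalization decides what file is actually read, the detector works on the decoded and resolved path rather than on the literal request string, so percent-encoded variants of the same traversal are caught too.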
Using the credentials I obtained, I gained access to the application. It looks like I can input the IP of the machine I wish to connect to, so I should be able to connect to the target machine using the IP 10.10.191.61.
And bingo! I have a VNC session on the Windows target machine. Using the credentials, I should be able to leverage this into an RDP session on port 3389, which is open on the target machine.
Using the command xfreerdp /v:10.10.191.61 /u:Atlas /p:H0ldUpTheHe@vens /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp, I gained an RDP session on the target machine as the user atlas. Now I have a foothold on the target machine.
After some manual enumeration, it looks like the target is vulnerable to the Windows Print Spooler remote code execution vulnerability. I transferred this exploit to the machine and ran it successfully. The exploit created the account adm1n:p@ssw0rd with admin privileges.
Using the command Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential adm1n, I started a PowerShell session as the new admin user, and it looks like this user is a member of the Administrators group! Now I have full access to the target machine.
I transferred mimikatz to the target machine to obtain the NTLM password hashes. In the picture above, I managed to obtain the NTLM hash of the Administrator user account.